Wireshark notes

Started by dlots, October 26, 2017, 09:18:24 AM


dlots

Did a class with Laura Chappell a couple weeks ago, I put up a few notes over at.

https://packetpushers.net/wireshark-notes/

Dieselboy

Good man!

BTW.. I want to set up some Ansible Playbooks for using wireshark. The idea I have is that you would query and set specific router IP's and interfaces to capture upon and start and stop captures simultaneously from one playbook / place. It can be annoying to stop, clear, restart captures in multiple places :)

dlots

That shouldn't be too hard with Ansible, but my Ansible skills suck.


My guess is you would need something like this (only with more variables for ACL lines and such).
Lines starting with # are comments; the commands are taken from
https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html

  - name: START_CAPTURE
    ios_config:
      # Credentials
      provider: "{{ provider }}"
      authorize: yes
      lines:
        - monitor capture buffer BUF size 2048 max-size 1518 linear
        - ip access-list extended BUF-FILTER
        - permit ip host 192.168.1.1 host 172.16.1.1
        - permit ip host 172.16.1.1 host 192.168.1.1
        - monitor capture buffer BUF filter access-list BUF-FILTER
        - monitor capture point ip cef POINT {{ interface }} both
        - monitor capture point associate POINT BUF
        - monitor capture point start POINT

  - name: STOP_CAPTURE
    ios_config:
      # Credentials
      provider: "{{ provider }}"
      authorize: yes
      lines:
        - monitor capture point stop POINT
        - show monitor capture buffer BUF dump
        - monitor capture buffer BUF export tftp://{{ tftp_server }}/{{ cap_name }}.pcap
        - no monitor capture point ip cef POINT {{ interface }} both
        - no monitor capture buffer BUF


Here are the notes I have; they were more for me than for other people, so beware of that.



STANDARD VARIABLES
{{ inventory_hostname }}
   The reference from the host file


Most files you need to mess with are in
/etc/ansible



Hosts are in "hosts"
   a group is in [group-name]

   Can be referenced by group name, IP, or FQDN (I think)

Account management
   Creating Encrypted Files
   To create a new encrypted data file, run the following command:
      ansible-vault create dhimes.yml
   Edit it
      ansible-vault edit dhimes.yml
   Run playbook with this
      ansible-playbook site.yml --ask-vault-pass

Variables follow the Jinja2 format
   • Define a variable: {{ butt }}
   • When referencing a variable in a yaml file use quotes (" ")
   • "Facts": a variable you discovered before execution (with gather_facts?)
      ○ Can be lengthy
   • http://docs.ansible.com/ansible/playbooks_variables


# = Comment
   A lot of these will be from http://jedelman.com/home/ansible-for-networking/
Sample Playbook

---
- hosts: desktop_test
#When Ansible connects to a device, it can gather some facts about the device automatically.
  gather_facts: no
#Local means all work is done from the server, not on the client.  Pretty much everything we do with network stuff will be "local".
  connection: local

#pre_tasks aren't required, but can be used for a way to execute tasks before roles are applied
  tasks:
#Will be displayed when the playbook is run
  - name: OBTAIN LOGIN CREDENTIALS
    include_vars: secrets.yaml

  - name: DEFINE PROVIDER
    set_fact:
      provider:
        host: "{{ inventory_hostname }}"
        username: "{{ creds['username'] }}"
        password: "{{ creds['password'] }}"
        auth_pass: "{{ creds['auth_pass'] }}"


  - name: SET ACL
    ios_config:
      provider: "{{ provider }}"
      authorize: yes
      lines:
        - int fa0/0
        - no ip access-group bob in
        - no ip access-group bob out
        - no ip access-list extended bob

Sample Hosts file named "hosts"

[AD_login_test]
10.250.8.75
10.250.8.76

[desktop_test]
10.27.20.184

Sample Accounts named "secrets.yaml"

---
creds:
  username: Admin
  password: cisco123
  auth_pass: cisco123

______________________________________________

RUN COMMANDS AND STORE THEIR INFO IN A VARIABLE

  - name: Pull_RUNNING_CONFIG
    ios_command:
      provider: "{{ provider }}"
      authorize: yes
      # Commands to run
      commands: show run
    # Set the output to the variable "running"
    register: running

  - name: Show_Run
    debug:
      # Print the variable
      var: running.stdout
---------------------------------------------------------------------------------------
COPY VARIABLE TO A FILE
  - name: put_into_file
    copy:
      content: "{{ running }}"
      dest: ./{{ inventory_hostname }}.txt
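The capture playbook above mixes privileged-EXEC "monitor capture" commands with ACL configuration, and the notes below it show how to register command output and copy it to a file; the following playbook is an added example (not from the thread or dlots' notes) that combines both into one start/stop playbook selected by an extra var. It assumes a network_cli connection with login and enable credentials supplied by the inventory; the capture_targets group, the variable and file names are hypothetical and the ACL lines are constructed.

```yaml
---
# Added example (not from the thread): start or stop an IOS Embedded Packet
# Capture from one playbook, selected by the extra var capture_action.
# Assumes network_cli with login/enable credentials in inventory; the group,
# variable and file names are hypothetical and the ACL lines are constructed.
- hosts: capture_targets
  gather_facts: no
  connection: network_cli
  become: yes
  become_method: enable
  vars:
    ansible_network_os: cisco.ios.ios
    interface: GigabitEthernet0/0
    acl_lines:
      - permit ip host 192.168.1.1 host 172.16.1.1
      - permit ip host 172.16.1.1 host 192.168.1.1
  tasks:
    # The ACL is configuration, so it is pushed with ios_config ...
    - name: DEFINE CAPTURE FILTER
      cisco.ios.ios_config:
        parents: ip access-list extended BUF-FILTER
        lines: "{{ acl_lines }}"
      when: capture_action == 'start'
    # ... but "monitor capture" is a privileged-EXEC command, so it must go
    # through ios_command, not ios_config (which would reject it in config mode).
    - name: START CAPTURE
      cisco.ios.ios_command:
        commands:
          - monitor capture buffer BUF size 2048 max-size 1518 linear
          - monitor capture buffer BUF filter access-list BUF-FILTER
          - monitor capture point ip cef POINT {{ interface }} both
          - monitor capture point associate POINT BUF
          - monitor capture point start POINT
      when: capture_action == 'start'
    - name: STOP CAPTURE AND DUMP BUFFER
      cisco.ios.ios_command:
        commands:
          - monitor capture point stop POINT
          - show monitor capture buffer BUF dump
          - no monitor capture point ip cef POINT {{ interface }} both
          - no monitor capture buffer BUF
      register: capture
      when: capture_action == 'stop'
    # stdout holds one entry per command; index 1 is the buffer dump.
    - name: SAVE DUMP ON THE CONTROL NODE
      copy:
        content: "{{ capture.stdout[1] }}"
        dest: "./{{ inventory_hostname }}-capture.txt"
      delegate_to: localhost
      when: capture_action == 'stop'
```

Run it as ansible-playbook epc.yml -e capture_action=start (hypothetical file name) and later with -e capture_action=stop, adding --ask-vault-pass if the inventory credentials are vault-encrypted.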



Dieselboy

Wow man thanks for that! I'll give it a go